Everything about security

My friend made a file storage website that he says is super secure. Can you prove him wrong and get the admin password?

After we sign up and log in, the website allows us to upload files from URLs. At first, I tried to upload some PHP scripts; however, PHP is disabled on the web server. Still, I noticed that uploaded files are under the /files directory. Since the hint was “Can’t solve it? Git gud.”, I just wanted to check whether a .git folder exists under the /files directory.

$ curl http://web2.angstromctf.com:8899/files/.git

[Errno 21] Is a directory: u'.git'

So, we have an existing git repository on the server. I dumped it using gitdumper and got the application’s source code.
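
A deploy-time check for the condition found above, as an added example that is not part of the original write-up: it walks a web root on disk and reports version-control metadata the server would expose. The function names and the sample directory layout are assumptions constructed for illustration.

```python
import os
import tempfile

# VCS metadata names that should never sit under a served directory.
VCS_NAMES = {".git", ".svn", ".hg"}

def read_first_line(path):
    """Return the first line of a file, or "" if it cannot be read."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.readline().strip()
    except OSError:
        return ""

def find_vcs_metadata(web_root):
    """Return sorted (relative_path, kind, detail) tuples for VCS metadata under web_root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in sorted(VCS_NAMES & set(dirnames)):
            full = os.path.join(dirpath, name)
            # For Git, record what HEAD points at so the report shows the branch.
            detail = read_first_line(os.path.join(full, "HEAD")) if name == ".git" else ""
            findings.append((os.path.relpath(full, web_root), "directory", detail))
            dirnames.remove(name)  # do not descend into the repository itself
        # A ".git" *file* (worktree or submodule) points at a repository elsewhere.
        if ".git" in filenames:
            full = os.path.join(dirpath, ".git")
            findings.append((os.path.relpath(full, web_root), "gitfile", read_first_line(full)))
    return sorted(findings)

def build_sample_root():
    """Constructed sample: an upload directory that contains a repository."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "files", ".git", "objects"))
    with open(os.path.join(root, "files", ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    os.makedirs(os.path.join(root, "static"))
    with open(os.path.join(root, "files", "upload.txt"), "w") as fh:
        fh.write("user upload\n")
    return root

if __name__ == "__main__":
    for path, kind, detail in find_vcs_metadata(build_sample_root()):
        print(f"{path}\t{kind}\t{detail}")
```

Run against the real document root in a release pipeline and fail the build on any finding; blocking dot-directories in the web server configuration is a second layer, not a replacement for keeping the repository out of the served tree.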